How to close an open DNS resolver

The DNS server that we have created in the previous tutorial is an open DNS resolver. An open resolver does not filter any incoming requests, and accepts queries from any source IP address.

Unfortunately, an open resolver can become an easy target to attackers. For example, attackers can initiate a Denial of Service (DoS) or even worse, a Distributed Denial of Service (DDoS) attack on the open DNS server. These attacks can also be combined with IP spoofing, where all the reply packets will be directed to a victim’s spoofed IP address. In another attack scenario called DNS amplification attacks, an open DNS server can actively participate in the attacks.

According to openresolverproject.org, it is not advisable to run an open resolver unless necessary. Most companies keep their DNS servers accessible to only their customers. This tutorial will focus on how to configure a DNS server so that it stops being an open resolver and responds only to valid customers.

Tuning Firewall

As DNS runs on UDP port 53, system admins may attempt to allow port 53 for client IP addresses only, and block the port from the rest of the Internet. Though this will work, there are going to be some problems. Since the communication between the root servers and the DNS servers use port 53 as well, we have to make sure that the IP addresses of the root servers are also allowed on UDP port 53 in the firewall.

A sample firewall script is provided below. For production servers, make sure that the rules match your requirements and also comply with company security policies.

# vim firewall-script
## existing rules are flushed to start with a new set of rules ##
iptables -F

iptables -A INPUT -s A.A.A.A/X -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s B.B.B.B/Y -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s C.C.C.C/Z -p udp --dport 53 -j ACCEPT

iptables -A INPUT -p udp --dport 53 -j DROP

## making the rules persistent ##
service iptables save

Make the script executable and run it.

# chmod +x firewall-script
# ./firewall-script

Blocking Recursive Queries

DNS queries can be primarily categorized as recursive and iterative queries. For a recursive query, the server responds to the client with either the answer or an error message. If the answer is not available in the server cache, the server communicates with the root servers to obtain authoritative name servers. The servers keeps looking up until it gets an answer, or until the query times out. For an iterative query, on the other hand, the server simply refers the client to another server who would be able to process, thus leading to less processing on the server itself.

We can control the IP addresses that are allowed for recursive queries. We modify the configuration file /etc/named.conf and add/modify the following parameters.

# vim /etc/named.conf
## we define ACLs to specify the source address/es ##
acl customer-a{ A.A.A.A/X; };
acl customer-b { B.B.B.B/Y; C.C.C.C/Z; };

## we call the ACLs under options directive ##
options {
        directory "/var/named";
        allow-recursion { customer-a; customer-b; };
};

Tuning Firewall for Open Resolver

If you must run an open resolver, it is recommended that you tune the firewall properly so that your server cannot be exploited. smurfmonitor repository provides a powerful set of iptables rules that can be used in open resolvers, such as blocking requests for domains involved in DNS amplification attacks. The repository is updated periodically, and it is highly recommended for DNS server admins.

To sum up, attacks on open DNS resolvers are common, especially for DNS servers without proper security. This tutorial demonstrated how to disable an open DNS server. We have also seen how iptables can be used to add an additional layer of security to an open DNS server.

Hope this helps.

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

The following two tabs change content below.
Sarmed Rahman is an IT professional in the Internet Industry in Bangladesh. He writes tutorial articles on technology every now and then from a belief that knowledge grows through sharing. During his free time, he loves gaming and spending time with his friends.
Your name can also be listed here. Write for us as a freelancer.

3 thoughts on “How to close an open DNS resolver

    • From Wikipedia:

      DNS primarily uses User Datagram Protocol (UDP) on port number 53 to serve requests.[3] DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers. Some resolver implementations use TCP for all queries.

  1. From IETF: http://tools.ietf.org/html/rfc5966#section-4

    All general-purpose DNS implementations MUST support both UDP and TCP transport.

    o Authoritative server implementations MUST support TCP so that they do not limit the size of responses to what fits in a single UDP packet.

    o Recursive server (or forwarder) implementations MUST support TCP so that they do not prevent large responses from a TCP-capable server from reaching its TCP-capable clients.

    o Stub resolver implementations (e.g., an operating system's DNS resolution library) MUST support TCP since to do otherwise would limit their interoperability with their own clients and with upstream servers.

Leave a comment

Your email address will not be published. Required fields are marked *